SSD Content Encryption and Authentication

1. A storage device, comprising: a storage interface, configured to be connected, through a storage interface switch of a host computer: to a processor of the host computer, and to a network adapter of the host computer; a processing circuit; and persistent storage media, the processing circuit being configured to: read first data from the persistent storage media in response to a read command received, from the processor, through the storage interface switch, and through the storage interface, the first data being unencrypted; transmit second data through the storage interface, through the storage interface switch, and through a network interface using the network adapter, the second data being based on the first data; receive a write command, with third data, through the storage interface; write fourth data, based on the third data, to the persistent storage media, the fourth data being unencrypted; and perform a cryptographic operation on the first data or on the third data.

2. The storage device of claim 1 , wherein the cryptographic operation is performed on the first data and comprises encrypting the first data to form the second data and an authentication tag.

3. The storage device of claim 2 , wherein the processing circuit is further configured to retrieve an encryption key, and to perform the cryptographic operation with the encryption key.

4. The storage device of claim 1 , wherein the cryptographic operation is performed on the third data and comprises decrypting the third data to form the fourth data.

5. The storage device of claim 4 , wherein the processing circuit is further configured to retrieve an encryption key, and to perform the cryptographic operation with the encryption key.

6. The storage device of claim 1 , wherein the persistent storage media comprises flash memory.

7. The storage device of claim 1 , wherein the processing circuit comprises a dedicated encryption circuit, and the performing of the cryptographic operation comprises performing the cryptographic operation by the dedicated encryption circuit.

8. The storage device of claim 7 , wherein the dedicated encryption circuit comprises a hardware encryption engine.

9. The storage device of claim 1 , wherein: the processing circuit is further configured to transmit the second data directly to the network adapter, and the processing circuit is further configured to receive the third data directly from the network adapter.

10. A method, comprising: reading, by a storage device, first data from persistent storage media in the storage device, in response to a read command received from a processor of a host computer, through a storage interface switch of the host computer, and through a storage interface of the storage device, the first data being unencrypted; transmitting second data through the storage interface, through the storage interface switch, and through a network adapter of the host computer, the second data being based on the first data; receiving a write command, with third data, through the storage interface; writing fourth data, based on the third data, to the persistent storage media, the fourth data being unencrypted; and performing a cryptographic operation on the first data or on the third data, wherein the storage interface is connected, through the storage interface switch: to a processor of the host computer, and to the network adapter of the host computer.

11. The method of claim 10 , wherein the cryptographic operation is performed on the first data and comprises encrypting the first data to form the second data and an authentication tag.

12. The method of claim 11 , further comprising retrieving an encryption key, wherein the performing of the cryptographic operation comprises performing the cryptographic operation with the encryption key.

13. The method of claim 10 , wherein the cryptographic operation is performed on the third data and comprises decrypting the third data to form the fourth data.

14. The method of claim 13 , further comprising retrieving an encryption key, wherein the performing of the cryptographic operation comprises performing the cryptographic operation with the encryption key.

15. The method of claim 10 , wherein the persistent storage media comprises flash memory.

16. The method of claim 10 , wherein the storage device comprises a dedicated encryption circuit, and the performing of the cryptographic operation comprises performing the cryptographic operation by the dedicated encryption circuit.

17. The method of claim 16 , wherein the dedicated encryption circuit comprises a hardware encryption engine.

18. The method of claim 10 , wherein: the transmitting of the second data through the storage interface comprises transmitting the second data directly, by the storage device, to the network adapter; and the receiving of the write command, with third data, comprises receiving the third data directly, by the storage device, from the network adapter.